Mon. Mar. 24. complex litigation cyberspace Constitutional Restrictions on Choice of Law.
CYBERSPACE AS A COMPLEX ADAPTIVE SYSTEM AND THE … · 2020. 2. 20. · The overall implication of...
Transcript of CYBERSPACE AS A COMPLEX ADAPTIVE SYSTEM AND THE … · 2020. 2. 20. · The overall implication of...
-
CYBERSPACE AS A COMPLEX ADAPTIVE SYSTEM AND THE POLICY AND OPERTIONAL
IMPLICATIONS FOR CYBER WARFARE
A Monograph
by
Major Albert O. Olagbemiro
United States Air Force
School of Advanced Military Studies United States Army Command and General Staff College
Fort Leavenworth, Kansas
AY 2014-001
Approved for Public Release; Distribution is Unlimited
-
REPORT DOCUMENTATION PAGE
1.
4. TITLE AND SUBTITLE
6 . AUTHOR(S)
GBEM IR
Major.
2. REPORT TYPE
PTI
YB
aster's Thesis
ND TH E POLI C Y
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
eneral StafT College
D timson Ave.
Fon Leaven,•onh, KS 66027-230 I
9. SPONSOR.ING/MONITOR.ING AGENCY NAME(S) AND ADDRESS( ES)
12. DISTRIBUTION/AVAILABILITY STATEMENT
pproved for public release; distribution is unlimited
13. SUPPLEMENTARY NOTES
14. ABSTRACT
Sa.
Sb. GRANT NUMBER
Sc. PROGRAM ELEMENT NUMBER
Sd. PROJECT NUMBER
Se. TASK NUMBER
Sf. WORK UNIT NUMBER
8. PERFORMING ORGANIZA-TION REPORT NUMBER
10:-SPONSORIMONITOR'S ACRONYM(S)
11 . SPONSOR/MONITOR'S REPORT NUMBER(S)
The overall implication of depicting cyberspace as a complex. adaptive ecosystem is that it provides an avenue for funher insight and understand in of the complexities associated with operating in cyberspace. This renewed reality highlights a source of vulnerability, a potential threat to national
security. due to the intermixing of public and private infrastructure and the reliance of the United Sta tes Government (USG) on infrastructure
owned and operated by the private sector. The fact that mosL if not all, of the underlying infi
comrollcd and managed by non-state entities means that the USG most recognize the power
distur ber of the familiar international order because the major actor that constitutes and defines intern
comrol cyberspace or to insulate itself from the implications of the new cyber realities. This recogni ti
tl10t is primarily ofTensive in nature bener serves the US, especially in regards to the protect ion o f the
1S. SUBJECT TERMS
omplex Adaptive System, Cyberspace, lnfosphere, Cyber Warfare ber Ecosvstem
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF a. REPORT b. ABSTRACT c. THIS PAGE ABSTRACT
18. NUMBER l19a. NAME OF RESPONSIBLE PERSON OF
nclassi lied nclassi lied nclassi lied PAGES
7 19b. TELEPHONE NUMBER {Include area code)
Standard Form 298 (Rev. 8/98) PreSOlbed by ANSI Sid Z39 18
Adobe Profe1.1.1onaJ 7 0
-
MONOGRAPH APPROVAL
Name of Candidate: Major Albert O. Olagbemiro
Monograph Title: Cyberspace as a Complex Adaptive System and the Policy and Operational Implications for Cyber Warfare
Approved by:
__________________________________, Monograph Director Jeffrey J. Kubiak, Ph.D.
__________________________________, Seminar Leader Charles M. Evan, COL, FA
___________________________________, Director, School of Advanced Military Studies Henry A. Arnold III, COL, IN
Accepted this 22nd day of May 2014 by:
___________________________________, Director, Graduate Degree Programs Robert F. Baumann, Ph.D.
The opinions and conclusions expressed herein are those of the student author, and do not necessarily represent the views of the U.S. Army Command and General Staff College or any other government agency. (References to this study should include the foregoing statement.)
i
-
ABSTRACT
CYBERSPACE AS A COMPLEX ADAPTIVE SYSTEM AND THE POLICY AND OPERATIONAL IMPLICATIONS FOR CYBER WARFARE, by Major Albert O. Olagbemiro, USAF, 47 pages.
The overall implication of depicting cyberspace as a complex, adaptive ecosystem is that it provides an avenue for further insight and understanding of the complexities associated with operating in cyberspace. This renewed reality highlights a source of vulnerability, a potential threat to national security, due to the intermixing of public and private infrastructure and the reliance of the United States Government (USG) on infrastructure owned and operated by the private sector. The fact that most, if not all, of the underlying infrastructure for seamless cyber interactions are controlled and managed by non-state entities means that the USG most recognize the power of the private sector in cyberspace. This represents a disturber of the familiar international order because the major actor that constitutes and defines international relations (the state) is not able to control cyberspace or to insulate itself from the implications of the new cyber realities. This recognition suggests that adopting a policy position that is primarily offensive in nature better serves the US, especially in regards to the protection of the cyber ecosystems of the private sector. Specifically it proposes that offensive cyber attacks should not be limited to only the authorized entities of the United States military, but should be expanded to include authorized entities in the private sector. Central to this proposition is the introduction of a new element of operational art specific to the cyber realm to guard against unintended consequences—the operational art element of precision.
ii
-
TABLE OF CONTENTS
ACRONYMS .................................................................................................................................. iv
ILLUSTRATIONS ........................................................................................................................... v
INTRODUCTION ............................................................................................................................ 1
Research Question and Design ................................................................................................... 2
SEEDS OF COMPLEXITY ............................................................................................................. 3
US Response ............................................................................................................................... 4 Strategic Discourse ..................................................................................................................... 6
THE THEORY OF THE PHENOMENON: REDEFINING CYBERSPACE ................................. 9
Cyberspace as an Ecosystem ..................................................................................................... 11 Role of the Infosphere ............................................................................................................... 15 The Cyber Ecosystem as a Complex Adaptive System ............................................................ 17
THEORY OF ACTION: PREDICTABILITY IN CYBERSPACE OPERATIONS ..................... 20
On Mutual Cyber Deterrence .................................................................................................... 22
TOWARDS AN OPERATIONAL THEORY FOR CYBER WARFARE .................................... 23
Managing the Positive Feedback Effect .................................................................................... 31 Operational Implications ........................................................................................................... 32 Precision as an Operational Art Element in Cyberspace Operations ........................................ 34 US Policy Implications ............................................................................................................. 35
CONCLUSION .............................................................................................................................. 37
BIBLIOGRAPHY .......................................................................................................................... 42
iii
-
ACRONYMS
ARPAnet Advanced Research Projects Agency network
CARL Combined Arms Research Library
CAS Complex Adaptive System
CGSC U.S. Army Command and General Staff College
CW Cyber Warfare
DOD Department of Defense
EMR Electromagnetic Radiation
EMS Electromagnetic Spectrum
EW Electronic Warfare
MMAS Master of Military Art and Science
MR Military Revolution
RMA Revolution in Military Affairs
SAMS School of Advanced Military Studies
SeE Socio Ecological Ecosystem
US United States
USG United States Government
iv
-
ILLUSTRATIONS
Figure 1. Cyber Triad. ...................................................................................................................... 9
v
-
In the information-communication civilization of the 21st Century, creativity and mental excellence will become the ethical norm. The world will be too dynamic, complex, and diversified, too cross-linked by the global immediacies of modern (quantum) communication, for stability of thought or dependability of behavior to be successful.
―Timothy Leary, Chaos & Cyber Culture
INTRODUCTION
Actors across all levels of society use cyberspace with each actor having different roles,
motivations, and intentions. Associated complexities of safeguarding cyberspace contribute to the
lack of a United States (US) policy for operating in cyberspace. This conceptual disorder stems
from the current definition of cyberspace which fails to acknowledge the human dimension of
cyberspace and the multiplicity of variables resulting in emergent properties, which arise due to
the co-mingling of both public and private sector actors in cyberspace. The result is a form of
social entropy in which social distinctions between state and non-state actors all but disappears,
leading to a situation of jurisdictional arbitrage in which both state and non-state actors are able to
exploit the relative anonymity in which cyberspace confers during cyber operations.1
The current situation requires a paradigm shift that rejects the prevailing conventional
science and embraces a revolutionary approach.2 This transition from conventional to a
revolutionary science requires a new theory of the phenomenon of cyberspace. This new theory
suggests that cyberspace is not a domain, but is rather a socio-ecological ecosystem—an instance
of a dynamic complex adaptive system. This socio-ecological ecosystem exists within a much
larger information environment, known as the infosphere. It is this infosphere that constitutes the
domain and not cyberspace. As the domain, the infosphere serves as the overall universe of
physical and cognitive communication processes.
1Nir Kshetri, “Pattern of Global Cyber War and Crime: A Conceptual Framework,” Journal of International Management 11, no. 4 (December 2005): 541-62, doi:10.1016/j.intman.2005.09.009 (accessed 7 February 2014).
2Thomas S. Kuhn, The Structure of Scientific Revolutions, 4th ed. (Chicago: The University of Chicago Press, 2012), 5-6.
1
http://dx.doi.org/10.1016/j.intman.2005.09.009
-
By conceiving cyberspace as a socio-ecological ecosystem, the critical importance of the
civilian private sector further emerges due to the reliance of United States Government (USG)
entities on a cyber infrastructure predominantly owned and operated by organizations in the
civilian private sector. The implications of this revisionist approach leads to a theory of action,
which suggests the concept of mutually assured cyber deterrence offers limited operational utility
in the cyber realm. The new paradigm suggests the USG is better served by adopting the theory of
action more offense-minded as the cornerstone of its policy. Key to the successful adoption of
this policy is the introduction of the new operational art element of precision that is specific to the
cyber realm. It emerges as an operational art element because of the need to guard against
unintended consequences associated with offensive cyber attacks.
Research Question and Design
The focus of this monograph is, therefore, to answer the following question. Given the
current lack of a USG policy, can the tenets of complexity theory provide a roadmap for
operating in cyberspace? The context supporting this line of inquiry are cyber-attacks against US
private and public sector entities, to include the US Department of Defense (DOD), during
nominal peacetime conditions in other than formally declared acts of war. Any findings along this
line of inquiry could potentially have significant operational implications for the USG. The
findings would help shape development of a USG policy for operating in cyberspace, from which
an overt policy for the DOD and private sector policy could be deduced.
The objective of this research is to seek a US operational strategy for operating in
cyberspace. Achieving the stated research objective requires a three-step process. The first step
involves bringing coherence to current reasoning in the state of the art by developing a broad,
ontological taxonomy of cyberspace. With this step comes a suggested paradigm shift, which is
critically important given the proliferation of competing viewpoints and terminology surrounding
cyberspace. Thus, the structure of knowledge as pertains to its current depiction needs to be 2
-
reconciled. The argumentation in this step points to the idea that the current DOD definition of
cyberspace, which largely shapes current US narrative and permeates the public sphere, is flawed.
The output of this step is a new theory of the phenomenon of cyberspace. The next step seeks to
answer the core research question by building on the new theory of the phenomenon of
cyberspace. This step proposes a theory of action, an operational theory for operating in
cyberspace based on the renewed conceptualization of cyberspace. Finally, the monograph
discusses the implication of this new theory.
SEEDS OF COMPLEXITY
The term cyberspace is fundamentally an abstraction. As an abstraction, it manifests itself
into physical reality through the Internet. The physical manifestation of cyberspace is necessary
because it needs an underlying means to exist in the physical realm—a mechanism, which the
Internet provides in the form of a worldwide, publicly accessible series of, interconnected
computer networks. The concept of open architecture networking was central to the design of the
Internet with the idea of individual networks, independent of each other, possessing and
presenting their own unique interface for integration, thereby creating a network of networks.
While the concept of open-architecture networking is the most powerful feature of the
Internet, it is, however, also its weakness as anyone can connect to the Internet without
constraints on the types or geographic scope of networks. This open-architecture networking
concept makes it simple for hostile cyber participants to connect to the Internet. Furthermore,
communication within this network of networks is primarily enabled by commercial entities
through multiple interconnected backbones, called “Tier 1” providers who provide the underlying
infrastructure (e.g., routers, switches, etc.) through which data is transmitted.
3
-
As it currently stands, these Tier 1 providers carry up to 98 percent of all USG
communication traffic.3 One aspect of the complexity associated with operating in cyberspace
stems from the USG reliance upon a physical infrastructure controlled and managed by non-state
entities—the civilian private sector. This near-complete intermixing of civilian and government
computer infrastructure, therefore, makes civilian infrastructure and civilian providers legitimate
targets under the law of armed conflict.4 Further complicating the situation is the unintended
consequences that can arise during a cyber attack due to co-mingling of USG and civilian actors.
Hence, the central challenge of operating in cyberspace arises because an attacker can never be
100 percent certain that the action will affect only the intended target.
US Response
To address the complexity associated with operating in cyberspace, the Bush
Administration rolled out its first public strategy document, National Strategy to Secure
Cyberspace, in 2003. This document correctly acknowledged the transversal nature of
cyberspace, and outlined a strategy hinged on public-private partnership efforts. The Joint Chiefs
of Staff (JCS) published the National Military Strategy of the United States of America (NMS)
and the National Military Strategy for Cyberspace Operations (NMS-CO) in 2004 and 2006
respectively. Of note, the 2004 NMS included the term “cyberspace” for the first time as one of
the domains of the battle space along with air, land, sea, and space. The 2006 NMS-CO took
things a step further by focusing specifically on the characterization of this cyberspace domain,
and proposed a strategic military framework to ensure US military superiority in cyberspace.5
3Eric Jensen, “Cyber Warfare and Precautions against the Effects of Attacks,” Texas Law Review 88 (1 June 2010), http://ssrn.com/abstract=1661218 (accessed 3 March 2014).
4Ibid. 5US Department of Defense, The National Military Strategy For Cyberspace Operations
(Washington, DC: 2006), 1-54.
4
-
In 2011, DOD released its Strategy for Operating in Cyberspace. This document came on
the heels of the Obama Administration’s International Strategy for Cyberspace, also published
2011. Taking into consideration several strategic themes, the Obama strategy document noted that
the development of norms for state conduct in cyberspace did not require a reinvention of
customary international law, nor did it render existing international norms obsolete.6 The 2011
DOD strategy further complemented the Obama strategy document, which called for the
enhancement of the United States Military’s capabilities by outlining a list of initiatives
associated with the establishment of cyberspace as an operational domain.7
At the core of both these documents was the notion of developing and enhancing existing
alliances to strengthen collective cyber security. The documents argued that the development of
internationally shared situational awareness and warning capabilities would enable collective self-
defense and collective deterrence.8 However, the limitations of such an alliance-based approach
are best exemplified by the limited success of the Budapest Cybercrime Convention, which
despite its existence for over ten years, has been ratified by only forty-one nations out of more
than 190 countries worldwide.9
Furthermore, recent allegations leveled against the United States of alleged cyber
surveillance and collection by its National Security Agency (NSA) could potentially hinder any
meaningful form of large-scale international cooperation in the cyberspace. Such allegations,
while not constituting a new paradigm, serve to reaffirm the existing reality that, “allies spy on
allies,” and it all comes down to self-interest. A friend today may not be one tomorrow.
6Office of the President of the United States of America, International Strategy for Cyberspace: Prosperity, Security, and Openness in a Networked World (Washington, DC: 2011), 1-30.
7US Department of Defense, Department of Defense Strategy for Operating in Cyberspace (Washington, DC: 2011), 1-19.
8Ibid. 9“Convention On Cybercrime CETS No.: 185,” Council of Europe, http://conventions.coe.int/
Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=&CL=ENG (accessed 13 February 2014).
5
-
Therefore, the effectiveness of any alliance-based strategy remains dubious, especially one in
which the United States might play a dominant role, as potential allies would be inclined to
cooperate meaningfully only to the extent that the cooperation serves mutual interests.
While selected bi-laterally negotiated agreements could potentially offer a pathway for
large-scale international cooperation, the reality is the United States may have to occasionally
resort to tacit approaches without explicit agreement of the international community.10
Alternatively, the United States can also impose cooperation. Under this alternative, the United
States, as the stronger party, and possibly the party with the most to lose in cyberspace, could
force its allies in the international community to alter their policies. The problem with this
approach, however, is the United States does not currently have a domestic policy regarding
cyberspace. This is because the definition of cyberspace, as currently proposed, is self-limiting.
Thus, a new conceptualization of cyberspace is required.
Strategic Discourse
The perception that cyberspace is a domain where fighting takes place and requires
domination, pervades the United States military thinking on the subject of cyber war.11 As of
2014, DOD defined cyberspace as:
A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.12
10Helen Milner, “International Theories of Cooperation among Nations Cooperation among Nations” by Joseph Grieco; Saving the Mediterranean by Peter Haas: Strengths and Weaknesses,” World Politics 44, no. 3 (April 1992): 96, 466.
11Richard A. Clarke and Robert Knake, Cyber War: The Next Threat to National Security and What to Do About It (New York: Ecco, 2010), 26.
12US Department of Defense, Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms (Washington, DC: US Government Printing Office, 8 November 2010), 64.
6
-
This definition is correct in that it correctly acknowledges the existence of cyberspace
within the information environment. It falls short because it is void of the social contextual
factors of today’s prevailing reality. Essentially the definition represents a failure to correctly
recognize cyberspace for the Military Revolution (MR) that it is. The tendency is to characterize
cyberspace primarily as a Revolution of Military Affairs (RMA) without recognizing its
contextual relationship with civil society. This distinction is critically important because MRs and
RMA are two separate, but related concepts that are not interchangeable.
It is how one conceptualizes MRs and distinguishes it from RMA that forms the core of
the debate.13 Key to understanding the relationship between MRs and RMA is the recognition that
MR represents a larger revolution, made up of smaller RMAs.14The characteristics of RMA are
such that it involves major changes in the nature of warfare brought about by advances in military
technology, which combined with dramatic changes in doctrine and organizational concepts,
fundamentally alter the character and conduct of military operations.15 A MR on the other hand is
the product of different forces, and includes a social wave characterized by an outgrowth of
changes in economic production—the way humans make war reflects the way they make
wealth.16 In the current social wave—the Information Age—information is the key source of
wealth and power. This reality leads to a new kind of war in which information is the new
13Michael Thompson, “Military Revolutions and Revolutions in Military Affairs: Accurate Descriptions of Change or Intellectual Constructs?” 83 -108, http://artsites.uottawa.ca/strata/doc/strata3_ 082-108.pdf (accessed 29 March 2014).
14Ibid., 95. 15Elinor Sloan, “Canada and the Revolution in Military Affairs: Current Response and Future
Opportunities,” Canadian Military Journal (Autumn 2000): 7, http://www.journal.forces.gc.ca/vo1/ no3/doc/7-14-eng.pdf (accessed 30 March 2014).
16Thompson, 93.
7
-
strategic asset, and control of information will not only be the ends of war, but the means of
war.17
Consequently, there are two different narratives for classifying cyberspace. The first
narrative suggests that if the United States is indeed facing a MR (i.e., the Information Age
represents a MR), then the United States policy debate should transcend issues of technology and
operations from a political, economic, and social perspective, and include the fundamental
aspects of defense policy.18 On the other hand, the second narrative suggests that if we are facing
an RMA, then the challenge is manageable within the current DOD framework, so long as it
maintains the ability to innovate.19 However, cyberspace is a MR, and because a MR is a product
of deep, varied social forces, it is less controllable and often beyond the control of DOD future-
oriented or strategic thinkers.20 It is apparent that DOD has de-linked cyberspace from the
broader MR. DOD continues to treat cyberspace solely as a RMA because it allows DOD to
retain control, as RMAs are generally susceptible to institutional direction.
The problem, however, is that by treating cyberspace as an independent RMA, DOD has
largely ignored the fact that virtually all of the USG public sector, to include DOD, relies on an
underlying infrastructure owned and operated by the private sector. It also ignores the amount of
social activity, especially commerce, which takes place in cyberspace. By ignoring the political,
economic, and social impacts of cyberspace attributable to civil society, it appears DOD has
essentially defaulted to a position that technology is an underlying factor and cause of a MR.
However, technology is an underlying factor, but not necessarily the cause of a MR.
17Thompson, 93. 18Ibid., 96. 19Ibid. 20Ibid.
8
-
This is why the current characterization of cyberspace as a domain is flawed. It focuses
solely on the technical aspects of cyberspace and fails to acknowledge the importance of the
human actor. This subtle, but important observation has severe operational consequences and
contributes to the current discourse surrounding the development of a US policy for operating
cyberspace. As the institution largely responsible for pioneering the use of cyberspace, the
epistemology as developed by DOD plays a huge role in shaping US discourse on the topic.
THE THEORY OF THE PHENOMENON: REDEFINING CYBERSPACE
There is a need to provide a revised definition of cyberspace to help refocus the debate.
This new definition must acknowledge and incorporate the role of the human actor. Key to this
new conceptualization is the notion that cyberspace consists of three primary dimensions. Each of
these dimensions represents a logical grouping of the primary actors (someone or something,
which has a capacity to interact) in cyberspace; these are the human, application, and
infrastructure dimensions. Collectively, these dimensions make up the cyber triad. Figure 1
below, provides a depiction of this notional cyber triad.
Figure 1. Cyber Triad.
Source: Created by author.
9
-
This cyber triad represents a system of regularly interacting and interdependent
dimensions forming a unified whole in the broader universe of information. The application
dimension represents the underlying software applications (e.g., operating systems, computer
applications, etc.) which computers run on or use to deliver value to an end user. The
infrastructure dimension constitutes the mediums, platforms, and hardware devices through which
data storage, transfer, and communication occurs. The human dimension represents the human
actor and its role in consuming and or contributing value in the cyber triad, and includes all users
of cyberspace, as well as the engineers and researchers who contribute to the development of the
application and infrastructure dimensions of the cyber triad.
Of particular importance in this new conceptualization is the implicit recognition that the
cyber triad exists within the context of an information environment known as the infosphere. This
infosphere constitutes the broader domain rather than cyberspace itself. Cyberspace does not
constitute the domain because it is a man-made environment used to exploit other domains. At its
core, it is merely a digital environment that is ubiquitous in nature. This begets the question—if
cyberspace is not the domain, what is cyberspace? This monograph argues that cyberspace is an
ecosystem, a complex adaptive system to be precise, which exists within an environment known
as the infosphere. This perspective represents a crucial point of departure from conventional
thinking because the conceptualization of cyberspace as an ecosystem within the infosphere fully
illuminates the complementary role in which cyberspace plays with other information-centric
forms of war such as electronic warfare within the broader spectrum of information operations.
Key to this line of departure is a recognition that cyberspace operations are
fundamentally conducted to influence decisions or the decision-making process, be it a machine
or the human decision maker, through the manipulation of ones and zeroes. The development of
the requisite ontology surrounding cyberspace requires the acknowledgment of the importance of
the human dimension as well as the understanding that cyberspace is an open-system—a key trait
10
-
of a complex adaptive system. Since it is as an open-system, it would interact with other entities
within the infosphere, which implies that classical systems theory could offer some utility
towards the development of an operational theory for operating in cyberspace. The pursuit of this
line of inquiry requires the exploration of concepts native to the field of classical systems theory.
In this regard, the field of biological ecology provides an avenue to further illustrate the
applicability of classical systems theory to the cyber triad.
Cyberspace as an Ecosystem
By definition, an ecosystem (short for ecological system) is a community and its physical
environment treated together as a functional system.21 From a biological perspective, this
community consists of the living (biotic) organisms (e.g., plants, animals, and microbes) and the
non-living (abiotic) environment in which the living organisms exist (e.g., air, water, mineral
soil).22 The ultimate goal of the biotic agents in a biological ecosystem is survivability or
sustainability. In a biological ecosystem, the accomplishment of this goal is dependent on three
key processes.
The first of these processes concerns the flow of energy, and how it enters an
ecosystem.23 This is a critical process because energy is the most essential requirement of all
living organisms in a biological ecosystem.24 The second process focuses on the trophic (feeding)
structure in order to understand the cycle of materials within an ecosystem. The trophic structure
is a hierarchical classification of the organisms in a given ecosystem. The hierarchical structure is
primarily dependent on the energy source that an organism relies upon, and how the organism
21F. Stuart Chapin, P. A. Matson, and Harold A. Mooney, Principles of Terrestrial Ecosystem Ecology (New York: Springer, 2002).
22Ibid. 23“Environmental Biology—Ecosystems,” http://www.marietta.edu/~biol/102/ecosystem.html#
Energyflowthroughtheecosystem3 (accessed 14 February 2014). 24Ibid.
11
-
provides energy for other organisms in the food web. Essentially, this is an interlocking series of
“who” eats “whom,” commonly called a food chain. 25 Abiotic factors also play an important role
in this food chain because climate will decide which food resources, and how much water and
sunlight are available to organisms in any given environment.26 The third process focuses on the
emergent behavior, which arises due to changes occurring in the ecosystem.
Similar to a biological ecosystem, the cyber triad is a community and its physical
environment interacting together as a functional system. In this case, the cyber triad constitutes
the ecosystem. This ecosystem is the cyber-ecosystem. The human dimension denotes the biotic
component, while the infrastructure and application dimensions denote the abiotic components in
the cyber-ecosystem. The desired goal of the biotic component in the cyber ecosystem is
survivability. Survivability is the ability of the cyber ecosystem to function continually during
and after a disturbance.27 It requires the biotic component to maintain a position of continuing
advantage given the disturbances introduced by competing social, political and economic factors
in cyberspace.
The first biological process (energy flow) occurs when energy from the sun enters a
biological ecosystem. This energy enters the ecosystem as solar radiation. Therefore, solar energy
serves as the key energy source, which sustains the continuous cycle of life in a biological
ecosystem. The requirement for energy flow process is conceptually satisfied in a cyber
ecosystem through an organization’s intellectual capital—knowledge. Intellectual capital is the
25Environmental Biology–Ecosystems.” 26“Food Web Background,” http://www.seagrant.sunysb.edu/ifishny/pdfs/lessons/inclass/
elementary/FoodWeb-Background.pdf (accessed 3 April 2014). 27C. A. Kamhoua and K. A. Kwia, “Survivability in Cyberspace Using Diverse Replicas: A Game-
Theoretic Approach,” Journal of Information Warfare 12, no. 2 (23 July 2013), http://www.jinfowar.com/ survivability-in-cyberspace-using-diverse-replicas-a-game-theoretic-approach/ (accessed 3 April 2014).
12
-
most essential requirement of the biotic actor, and it is the key energy flow required to sustain the
cycle of competiveness in the cyber ecosystem. Without it, the cyber ecosystem ceases to exist.
The intellectual capital of a cyber ecosystem is knowledge and it includes all non-
monetary and non-physical resources that contribute to the value creation of the cyber
ecosystem.28 Intellectual capital includes the ability to understand the changing nature of
technology as well as the continuous evolution of the cyber environment. Not only is intellectual
capital the key source of energy for the cyber ecosystem, it is also the only material which is
manifested and cycled within an ecosystem in the form of technical expertise. This technical
know-how in turn translates into securing or improving one’s position of relative advantage in the
infosphere.
Just like the biological ecosystem, the cyber ecosystem also has a trophic (feeding)
structure (second biological process). A rather simplistic illustration of the trophic structure is a
scenario in which the human actor, as the sole biotic actor in the cyber ecosystem, consumes
information created by an application in the application dimension. An application in the
application dimensions, in turn, consumes resources (e.g., processors) in the infrastructure
dimension. This rather simplistic scenario of a cyber trophic structure does not imply there is only
one order possible from any producer to any one ultimate consumer. Rather it infers that in any
given cyber trophic structure, a complex structure consisting of a web of interactions could arise.
Besides being an open system, any given cyber ecosystem is not a unitary entity in an infosphere;
i.e., there are several cyber ecosystems within the infosphere. It is rather the fundamental
structure of all cyber ecosystems within the larger infosphere. Therefore, it is possible to talk
about primary consumers, secondary consumers, and even tertiary and quaternary consumers
when trying to understand the chain of interaction between each of the dimensions in the cyber
28Adapted from Eckhard Ammann, “A Hierarchical Modelling Approach to Intellectual Capital Development,” The Electronic Journal of Knowledge Management 8, no. 2: 182-183.
13
-
ecosystem.29 Similar to a biological ecosystem, given this complex web of interactions in
cyberspace, complexity begins to arise.
The third pertinent biological process (change process) is also a requirement for
survivability because the biological ecosystem must adapt to changes in both the biotic and
abiotic factors. This need for adaptation also gives rise to complexity because of the multiplicity
of interactions due to the trophic structure, which then introduces emergence into the ecosystem.
The introduction of emergent properties is such that the ecosystem assumes a new pattern of
behavior or structure, which more often than not is either unexplainable or unpredictable even
when the individual organisms in the ecosystem are studied.
The ability of the cyber ecosystem to change and adapt to changing conditions becomes a
requirement for continued survivability. Emergence arises in the cyber ecosystem due to the
varying forms of perturbations or feedback within the ecosystem. When an ecosystem is subject
to any sort of perturbation, it responds by moving away from its initial state to a new adapted
state.30 From a cyber perspective, this translates into a cyber ecosystem’s ability to adapt to
emergent conditions in order for it to continue to be a viable medium during cyber operations. Of
particular importance in this logic is the recognition that the need for adaptation is not constrained
to the actors in the human dimension (cyber operator) alone. Actors in both the application and
infrastructure dimensions, when purposely designed, are also capable of self-adaptation to handle
changing conditions such as system intrusions. Thus, the need for adaptation further puts a cyber
ecosystem into a new category of ecosystems. This is the category of dynamical ecosystems. This
29Michele Nash and Lisa Rapp, “Trophic,” Springfield Technical Community College, http://faculty.stcc.edu/biol102/Lectures/lesson12/trophicstruc.htm (accessed 14 February 2014).
30“Building a Dynamic Financial Ecosystem,” New Straits Times, 21 November 2012, http://www.nst.com.my/opinion/columnist/building-a-dynamic-financial-ecosystem-1.174254 (accessed 14 February 2014).
14
-
further leads to the conceptualization of the cyber ecosystem as being a dynamic, complex
adaptive system.
Role of the Infosphere
Any action within the infosphere is fundamentally an information operation, and cyber
operations (activities conducted in cyberspace) represent just one type of an information
operation. The idea of the existence of a “virtual space” out there, connected to, but often
removed from real physical spaces provides the basis for conceiving cyberspace as an
ecosystem.31 The infosphere is the virtual space, which serves as the overall universe of physical
and cognitive communication processes. It encompasses all aspects of information centric
operations ranging from electronic warfare to psychological operations. The infosphere is also the
entity that DOD doctrine refers to as the information environment in which humans and
automated systems observe, orient, decide, and act upon information.32
Native to the infosphere is a form of energy known as electromagnetic radiation (EMR),
which enables wireless communications. The propagation of EMR occurs through
electromagnetic waves with the full range of frequencies ranging from radio waves, gamma rays,
and visible light, all constituting the electromagnetic spectrum (EMS).
When it comes to the world of wireless communications, the waveforms beneath visible
light enable wireless transmissions beyond direct point-to-point connections. As the key enabler
of wireless communication in the infosphere, the EMS has a symbiotic relationship with
cyberspace because cyberspace routinely requires wireless in addition to wired links to transport
information. Since cyberspace operations require the use of the EMS for enabling full effects in
31Adapted from Stephen D. McDowell, Philip E. Steinberg, and Tami K. Tomasello, Managing the Infosphere: Governance, Technology, and Cultural Practice in Motion (Philadelphia: Temple University Press: 2008), 10.
32US Department of Defense, Joint Publication 3-13: Information Operations (Washington, DC: 2010).
15
-
cyberspace, viewing the cyber ecosystem as an open-system encapsulated by the infosphere in
which EMR facilitates wireless interactions offers greater utility in the current discourse for two
key reasons.
First, it highlights the problems with characterizing cyberspace as a domain. The core
objective of warfare in any given domain is to achieve a degree of control within the domain.
This objective gives rise to terms such as air, maritime, space and land superiority, which reflect
duration-specific command of the respective domains. If cyberspace is treated as a domain, then it
is possible to generate the concept of cyber superiority. The problem is that the idea of cyber
superiority shifts the focus away from the larger objectives sought by operating in cyberspace. In
this regard, cyberspace should be viewed as a capability within the broader infosphere domain in
which information operations are conducted. Operating in cyberspace should not be the ends in
itself, but rather a means and ways within the context of the larger information environment.
Thus, just as Douhet and Corbett emphasized the need to establish command of the air and sea
domains respectively in order to achieve military objectives, so must one seek command of the
infosphere to achieve the desired objectives.
The second reason why this view offers greater utility in the current discourse is that it
lays to rest the question surrounding the issue of sovereignty in cyberspace. When one constructs
the cyber-triad as an open-system within the infosphere, the notion of sovereignty in cyberspace
collapses because open-systems do not respect state boundaries.33 This conflicts with current
interpretations of the concept of sovereignty, which provides the fundamental basis of the current
international order that hinges on the notion of supreme dominion, authority, or rule by a nation
33Adapted from K. Conca, “Rethinking the Ecology-Sovereignty Debate,” Millennium - Journal of International Studies 23, no. 3 (March 1994): 701-11, doi:10.1177/03058298940230030201 (accessed 14 February 2014).
16
-
state.34 Attempts to exercise national decision-making, adjudication, and authority do not
coincide with the fundamental ecological realities of an open-system, leading to the frustration of
any attempts to exercise sovereignty in cyberspace, however the state will continue to play an
important role in cyberspace.35Furthermore, it is the very belief that cyberspace should be free
from government interference or sovereignty, which led to the very idea of cyberspace in the first
place.36 Emphasis should be on the development of an understanding of the interactions between
the dimensions of the cyber triad and its surrounding environment.
The Cyber Ecosystem as a Complex Adaptive System
There is no concise, universal definition of a complex system to which everyone
ascribes.37 However, the phenomenological definition is that it exhibits nonlinear, emergent,
adaptive behavior.38 In cyberspace, this definition translates into the complex interconnections
and inter-relationships between the dimensions of a cyber ecosystem. Complexity only emerges
when the openness of the cyber ecosystem in relation to the infosphere is taken into
consideration, and the interactions between the dimensions of a given ecosystem are examined
from the perspective of both its internal dynamics as well as its relationship with the infosphere.
This perspective is crucial because, in order to fully understand how a dynamic system
evolves over time, all possible variables must be accounted for to determine how it is adapting or
responding to the changes. This holistic approach advances the viewpoint that a cyber ecosystem
34Lieutenant Colonel Patrick W. Franzese, “Sovereignty in Cyberspace: Can It Exist?” The Air Force Law Review, AFPAM 51-106 64 (2009): 8.
35Adapted from Conca. “Rethinking the Ecology-Sovereignty Debate.” 36Franzese, Sovereignty, 11. 37James Ladyman, James Lambert, and Karoline Wisener, “What Is a Complex System?” 1,
http://philsci-archive.pitt.edu/9044/4/LLWultimate.pdf (accessed 14 February 2014). 38James Moffat, Complexity Theory and Network Centric Warfare, Information Age
Transformation Series (Washington, DC: CCRP Publication Series, 2003), 51.
17
-
is a special instance of a complex system, which is a Complex Adaptive Ecosystem—a concept
synonymous with a Complex Adaptive System (CAS). A CAS is a dynamic system able to adapt
and evolve with a changing environment. By acknowledging the human dimension, cyberspace
becomes a coherent system of biophysical and social factors that regularly interact in a resilient,
sustained manner.39 Key to this realization is the understanding that the structure and behavior of
the cyber ecosystem changes over time in a way which tends to increase or decrease its success.40
Due to the changes in the structure and behavior of the cyber ecosystem, two key issues arise.
These issues center on the cognitive complexities associated with developing cyber awareness
and cyber understanding.41
Cyber awareness focuses on the what, where, and when questions.42 These awareness
related questions are in relation to the operational situation as exists at a given moment in time,
current or past.43 These questions essentially help determine “what is going on or what happened”
in a cyber ecosystem. Cyber understanding, on the other hand, is essentially the process of
making sense of the available information by focusing on the why and who questions, and
drawing inferences about possible consequences of the operational situation.44 Key to the
difference between these two concepts is where cyber awareness deals with the operational
environment, as it “was,” cyber understanding deals with the operational environment as it is
39C. L. Redman, M. J. Grove and L. Kuby, “Integrating Social Science into the Long Term Ecological Research (LTER) Network: Social Dimensions of Ecological Change and Ecological Dimensions of Social Change,” Ecosystems Vol.7 (2) (2004): 161-171.
40Paul Phister, “Cyberspace: The Ultimate Complex Adaptive System,” The International C2 Journal 4, no. 2 (2010–2011), 1-19, http://www.DODccrp.org/files/IC2J_v4n2_03_Phister.pdf (accessed 14 February 2014).
41Ibid. 42Ibid. 43Ibid. 44Ibid.
18
-
becoming.45 The goal of cyber understanding is to understand adversarial intentions or to make
sense out of seemingly disparate actions/information gleaned through cyber awareness.46
The development of cyber awareness and cyber understanding hinge on the ability to
detect intruders and anomalous conditions. Cyber understanding also hinges on the ability to
analyze and correlate the information garnered from the observations to understand attack sources
and intent, in order to respond to the threat. Cyber awareness and understanding remain critically
important, and can only be tackled when there is an inherent recognition that cyberspace is a
complex adaptive system.
Since the human dimension is a key component, cyberspace as CAS in a broader
infosphere is essentially a socio-ecological ecosystem (SeE). With this recognition comes the
acknowledgment that the traditional properties of a CAS are directly applicable in cyberspace
operations. These are the properties of nonlinearity, emergent behavior, and the interplay between
chaos and non-chaos. It is the understanding of the impacts of these properties that provide the
basis for the development of a theory of action for operating in cyberspace.
45Phister, “Cyberspace: The Ultimate Complex Adaptive System.” 46Ibid.
19
-
THEORY OF ACTION: PREDICTABILITY IN CYBERSPACE OPERATIONS
In the varied theories on non-linear complex systems, uncertainty and surprise is not the
exception, but the rule.47 This is due to the feedback effect—a critical attribute of non-linear
complex adaptive systems. The notion of the cyber ecosystem as being a SeE is to emphasize the
integrated concept of humans in cyberspace, and to stress that the delineation between social
systems and ecological systems is artificial and arbitrary.48 Supporting this viewpoint is the
notion that as a SeE, feedback mechanisms link the social ecological aspects of a cyber
ecosystem.49
In this SeE, learning occurs during normal, cooperative interaction between actors as well
as during a cyber conflict between belligerents with the resulting adaptation in response to the
learning being dependent on feedback. Therefore, the feedback effect is a means of
“communication” through which actors within any of the dimensions of the ecosystem receives
information back from its environment about its actions. As the actors within each of the
dimensions of the cyber ecosystem interact, the results of some interactions may influence future
interactions. This influence represents the feedback within the cyber ecosystem.
The dynamics of a given conflict are based on the interactions rather than the individual
actions of actors. In this regard, two types of feedback effects characterize the interactions:
positive and negative. Positive feedback influences the interactions between the dimensions in a
cyber ecosystem by building on previous actions with a resulting effect being that uninhibited
positive feedback can lead to exponential rates of growth in output and a cyber ecosystem
47Marion Glaser et al., “Human / Nature Interaction in the Anthropocene Potential of Social-Ecological Systems Analysis, 77,” http://www.dg-humanoekologie.de/pdf/DGH-Mitteilungen/GAIA200801_77_80.pdf (accessed 30 March 2014)
48Ibid. 49 Fikret Berkes, Johan Colding, and Carl Folke, eds., Navigating Social-Ecological Systems:
Building Resilience for Complexity and Change (Cambridge: Cambridge University Press, 2003), 3, accessed 10 April 2014, http://0-dx.doi.org.oasis.unisa.ac.za/10.1017/cbo9780511541957.
20
-
“exploding” into chaotic behavior.50 Negative feedback on the other hand dissuades the
continuous building-block effect in a cyber ecosystem by attempting to negate the previous
action, which leads to equilibrium, system “death,” and no activity at all.51
Given the importance of feedback effects in a cyber ecosystem, one can achieve a
continuing advantage during a cyber conflict by managing feedback effects. An increase in the
negative feedback effect would lead to improved stability of the cyber ecosystem. Likewise, an
increase in the positive feedback effect would lead to instability of the cyber ecosystem. On the
surface, this would seem to imply that one should strive for stability over instability due to the
ability to predict belligerent actions and their corresponding effects during a cyber conflict.
However, the notion of predictability introduces vulnerability. In warfare, being predictable is
potentially a vulnerability. The ability to manage perceptions and reactions of a designated target
becomes a key facet of conflict, an assertion articulated best by Sun Tzu:
Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment—that which they cannot anticipate.52
Vulnerability arises because the belligerents in a cyber war would share a common
operational picture, which could leave each side vulnerable due to their equal ability to gauge
each other’s actions and potential counter-actions during a cyber conflict. Thus, striving for
stability and the resulting predictability goes against a fundamental principle of war—the
principle of surprise. Since surprise is fundamentally a temporal phenomenon that results from
the combination of both time and readiness, it would requires that one strike the enemy at a time,
50John Cleveland, “Complexity Theory: Basic Concepts and Application to Systems Thinking,” http://www.swconnect.org/sites/default/files/Complexity_Theory_Basic_Concepts.doc.pdf (accessed 14 February 2014).
51Ibid. 52Philip Martin Mccaulay, Sun Tzu's the Art of War (S.l.: Lulu Com, 2009), 36.
21
-
place, or a manner for which he is unprepared in order to achieve a successful attack.53
Conversely, the perceived ability to gauge each other’s actions and employ countermeasures as
appropriate could also serve as a mutual deterrent to belligerents, which give rise to the
applicability of deterrence theory in cyber space.
On Mutual Cyber Deterrence
The theory of deterrence is a strategic concept focused on influencing the choices made
by an adversary.54 This is accomplished by influencing an adversary’s expectations of how one
would behave in response to a given action. In essence, it is concerned with discouraging an actor
from acting in ways that are advantageous to them, but harmful to you.55 Its utility as a potential
operational DOD strategy in cyber space arises when belligerents in a potential cyber conflict
seek the same operational strategy.
On the other hand, this could be a self-defeating endeavor because it is not decisive. A
near perfect scenario, in which the belligerents in a cyber conflict have the same equal
capabilities and vulnerabilities in their respective ecosystems, supports this point of view. In this
instance, if the belligerents seek to optimize predictability in their respective cyber ecosystems
via an increase in negative feedback effects, effectively creating a stalemate. The desired outcome
of relative advantage in the infosphere becomes untenable because their actions effectively cancel
out each other.
The notion of mutual deterrence as an operational theory for cyber warfare, however,
offers limited utility in most cyber conflicts because it might not be decisive. This is because
deterrence is a theory, which presupposes the intelligence and rationality of one’s opponent.
53Robert Leonhard, “Surprise,” 1-4, http://www.jhuapl.edu/ourwork/nsa/papers/surprise.pdf (accessed 3 March 2014).
54Thomas C. Schelling, The Strategy of Conflict (Cambridge, MA: Harvard University, 1980), 9. 55Ibid.
22
-
However, rationality as a concept remains subjective in nature because is bounded. It depends
upon the circumstances and preferences of the individual belligerents.56 Thus the belligerents in a
cyber conflict can each remain rational within their respective frameworks of understanding,
whether their frameworks of understanding are similar or diametrically opposed.
TOWARDS AN OPERATIONAL THEORY FOR CYBER WARFARE
As the newest entrant into the eternal phenomenon of war, it continues to be debated
whether cyber warfare qualifies as a true form of warfare. This is because pundits question the
applicability of Clausewitz’s definition of war to the cyber environment. They have gone as far as
to say, “Code can’t explode.”57 To address the ongoing discourse, the position taken in this
monograph is that conflict in the cyber realm constitutes a form of warfare in the classical sense.
Supporting this premise is the belief that where war is enduring in nature, warfare is subject to
change. Thus, where a theory of war seeks to explain the enduring nature of war based on four
continuities—a political dimension, a human dimension, the existence of uncertainty and the
contest of wills—a theory of warfare, seeks to explain the constantly changing means by which
one fights a war.58
Clausewitz defines war as an “act of force (physical force) to compel the enemy to do our
will.”59 By extending this definition to the cyber realm, one can metaphorically equate cyber
warfare to the “act or use of intellectual force” to compel the enemy to do one’s will. This line of
interpretation does not seek to deny the validity of Clausewitz definition of war, but rather seeks
56Lawrence Freedman, Deterrence (Cambridge, UK: Polity Press, 2004), 29. 57Gal Beckerman, “Is Cyber War Really War?” http://www.bostonglobe.com/ideas/2013/09/15/
cyberwar-really-war/4lffEBgkf50GjqvmV1HlsO/story.html (accessed 3 March 2014). 58“Maneuver Self Study Program: Nature and Character of War and Warfare,”
http://www.benning.army.mil/mssp/Nature%20and%20Character/ (accessed 14 February 2014). 59Carl von Clausewitz, On War, trans. Michael Howard and Peter Paret (Princeton, NJ: Princeton
University Press, 1976), 75.
23
-
to extend his classical definition of war into the metaphysical digital environment. Thus, the act
or use of this intellectual force leads to a “clash of intellect” between belligerents during a cyber
conflict. The upper hand goes to the party with the requisite intellectual capacity to skillfully
manipulate ones and zeroes in such a manner to outmaneuver the opponent. This is accomplished
through superior cyber awareness and understanding.
This clash of intellect also serves to reinforce an earlier assertion that it was intellectual
capital, as demonstrated by individual/organizational competence, that served as the key energy
flow required to sustain the cycle of competitiveness in a given cyber ecosystem. This is because
the human actor (human dimension) in the ecosystem creates the software application
(application dimension) using a programming language, which is executed on a platform
(infrastructure dimension) of the cyber ecosystem in “ones and zeroes.” This dialect of “ones and
zeroes” serves as the fundamental micro-level means through which human-instructions are
interpreted by a computer-based system and executed.
Furthermore, besides the interpretations drawn above, an international group of
independent experts recently reached a consensus that cyber operations constitute a use of force.60
Key to their proposition was an acknowledgement that while cyber warfare might lack a clear
kinetic parallel, a cyber operation constituted a use of force as long as the scale and effects were
comparable to non-cyber operations rising to the level of a use of force.61 An act (e.g., cyber
attack) need not have immediate physical consequences to comprise a use of force, although
60Michael Schmitt, “International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed,” Harvard International Law Journal 54 (December 2012): 19, http://www.harvardilj.org/wp-content/uploads/2012/12/HILJ-Online_54_Schmitt.pdf (accessed 3 March 2014).
61Schmitt, “International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed,” 19-20.
24
-
determining a “threshold” for the use of force in cases not involving physical harm presented a
dilemma.62
Given these interpretations and understanding, there is a consensus around the idea that
cyber warfare is a form of war within the broader phenomenon of war. Essentially, it is a conflict
conducted within the infosphere with the aim of influencing the will and decision-making
capability of the enemy in the theater of Computer Network Operations; attacks against this
network through ones and zeroes constitute a cyber attack.63
For a cyber attack to occur, three conditions must be present: 1) an opponent’s
vulnerability, 2) attacker’s access to the vulnerability, and 3) attacker’s capability to exploit the
vulnerability. The capability to exploit the vulnerability typically comes in one of two forms
depending on the pattern of exploitation: targeted attacks or opportunistic attacks.64 Targeted
attacks are directed against specific users or organizations, and normally employ a combination of
tools or techniques to accomplish the attacker’s objectives. Opportunistic attacks on the other
hand, are much more random in nature and rely on the element of “luck” as a key element of its
attack strategy. In this case, potential victims are randomly targeted en-mass with the hope that a
subset of the victims would fall prey to the attack vector.
Both state and non-state actors alike, driven by a combination of intrinsic and extrinsic
motivations, perpetrate both forms of attack. Furthermore, both types of attacks could be multi-
stage in character. For example, computer A penetrates computer B to use as a platform for
62Schmitt, “International Law in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed,” 20.
63Fred Schreier, “On Cyber warfare.” DCAF Horizon 2015 Working Paper No. 7, 25, http://www. google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCwQFjAB&url=http%3A%2F%2Fwww.dcaf.ch%2Fcontent%2Fdownload%2F67316%2F1025687%2Ffile%2FOnCyberwarfareSchreier.pdf&ei=sVcVU_D9JcShrgHi5YDoBA&usg=AFQjCNHSti4VD11zqhHbyC36ASV-0RLJ8g&bvm=bv.6 (accessed 3 March 2014).
64Kshetri, “Pattern of Global Cyber War and Crime: A Conceptual Framework.”, 541-62.
25
-
penetrating computer C, which is then used to attack computer D.65 It is the combination of these
issues that results in the often-mentioned attribution problem. The nature of the attribution
problem is such that it is often difficult, if not near-impossible, to determine with certainty who
an attacker is or if actors in cyberspace are operating independently or in support of a
state-sanctioned activity; a factor amplified by the relative anonymity that cyberspace offers.
Thus, nation-states have an avenue for espousing a stance of plausible deniability, even
though they might be active, albeit clandestine, proponents of cyber attacks against potential
adversaries. However, the reality is that given a sufficient amount of time and the right type of
tools, it is possible to trace the physical origins of every cyber attack because every cyber attack
leaves a digital footprint. When traced, if the attack cannot be directly linked to a state-sanctioned
activity, it is typically lumped into the category of cyber crime and passed on to law enforcement
agencies who typically attempt to pursue legal action. The issue with this approach is it fails to
acknowledge that, just as in normal everyday social interactions, there could potentially be
different dramaturgical perspectives at play in cyberspace.
War and crime are not totally disjointed phenomena. Although they have crucial
differences—war is usually conceived as a group action, whereas crime is an individual one—
they are cognitively linked.66 This is because war is fundamentally a legalized crime and crime is
war-like activity conducted outside of a governing legal framework. The strict relationship
65David Clark and Susan Landau, “Untangling Attribution,” Harvard Law School National Security Journal (16 March 2011): 1, http://harvardnsj.org/wp-content/uploads/2011/03/Vol.-2_Clark-Landau_Final-Version.pdf (accessed 13 February 2014).
66Teresa Degenhard “Between War and Crime: The Overlap between War and Crime: Unpacking Foucault and Agamben’s Studies within the Context of the War on Terror,” Journal of Theoretical and Philosophical Criminology 5, no. 2 (2013): 31-32, http://www.jtpcrim.org/July-2013/Article-2-Revision-for-Foucault-and-Agamben-Degenhardt-July-2013.pdf (accessed 5 April 2014).
26
-
between war and crime is apparent, especially in relation to the use of the metaphor, “war against
crime,” in political campaigns.67
As a theory of behavior, dramaturgy suggests that identity is not a stable and independent
psychological entity. This is because as the person interacts with others, that person is constantly
remaking their identity, leading to two different narratives—a front stage and backstage narrative.
Thus, in cyberspace, since an actor’s identity is not a stable and independent psychological entity,
potential acts of war against the civilian private sector could potentially be mis-categorized as a
cybercrime, and automatically placed under civilian criminal jurisprudence for resolution rather
than deducing the real cyber intent.
This is a reflection of the troubling tendency to treat cyber warfare and cyber crime as
mutually exclusive events and a failure to recognize that it is possible to have a criminal
dimension to a cyber conflict. Efforts must be made to draw corollaries between perceived
incidents of cyber crime to determine what the overall cyber intent is and whether or not it
constitutes an act of war. The efforts should focus on deducing the true cyber intent of targeted
attacks against the public and private sector entities.
DOD can also achieve greater operational synergies by adopting a perspective in which
cyberspace is viewed as an open-system within an infosphere because it would facilitate the
integration of technological based warfare. Current DOD doctrine divides technological based
warfare into two distinct forms of warfare: Electronic Warfare (EW) and Cyber Warfare (CW).
Current DOD doctrine defines EW as military action involving the use of electromagnetic and
directed energy to control the electromagnetic spectrum or to attack the enemy.68 DOD doctrine
67Degenhard “Between War and Crime: The Overlap between War and Crime: Unpacking Foucault and Agamben’s Studies within the Context of the War on Terror.”, 34.
68US Department of Defense, Electronic Warfare, Joint Publication 3-13, I-2 (Washington, DC: US Government Printing Office, 25 January 2007).
27
-
also defines CW as military operations conducted to deny an opposing force the effective use of
cyberspace systems and weapons in a conflict.69
Where EW focuses on electronic attack, electronic protection, and electronic warfare
support, CW focuses on cyber attack, cyber defense, and cyber enabling actions. However, there
are operational concerns across both forms of warfare, which complement each other and can be
used to overcome their individual limitations.
A perfect example of the synergies, herein dubbed the “access-proximity” solution,
occurs when EW capabilities are used to solve CW-related issues of proximity; likewise, CW is
used to solve EW-related issues of access. When these synergies are fully exploited, EW
capabilities may serve as a means of accessing otherwise inaccessible networks to conduct
cyberspace operations, presenting new opportunities for offensive action as well as the need for
defensive preparations.70 This is because EW does not have an access problem, since directed
energy can either destroy or control anything in its path. Rather it has a proximity problem due to
the possibility of the obstruction or interference with the directed energy. On the other hand, CW
does not have a proximity problem. It has an access problem because the successful prosecution
of an attack is predicated on the existence of vulnerability in a given cyber ecosystem. Therefore,
by leveraging the respective strengths of each of these forms of warfare, one can overcome their
individual limitations. This leads to the conceptualization of Cyber-Electro warfare as a new form
of warfare. .
While there is a growing recognition across the Unites States military services of the
relationship between the cyberspace and the EMS, this recognition stems purely from operational
69US Department of Defense, Joint Chiefs of Staff, Joint Terminology for Cyberspace Operations, by James E. Cartwright, Memorandum, 8 (Washington, DC: 2010).
70US Government Accountability Office, GAO-12-479, Electronic Warfare: DOD Actions Needed to Strengthen Management and Oversight, (Washington, DC: July 2012), 27.
28
-
necessity rather than an ontological understanding of cyberspace. This assertion hinges on the
premise that the DOD definition of cyberspace remains fundamentally flawed because cyberspace
is a complex adaptive ecosystem, not a domain onto itself. By treating it as a domain, the holistic
value of information in the infosphere is undermined.
To overcome the potential stalemate effect associated with mutual deterrence, the
operational art element of tempo becomes central. Tempo is a crucial element of maneuver
warfare that relies on speed and surprise to attack an enemy’s cyber ecosystem. 71 Tempo dictates
the relative speed and rhythm of offensive and defensive cyber operations over time with respect
to the enemy.72 The need for surprise stems from a desire to circumvent a problem and attack it
from a position of advantage rather than meet it straight on.73 Therefore, as in other forms of
warfare, tempo is valuable in cyber warfare.
Victory in a competitive decision cycle requires one side to understand what is happening
and being able to act faster than the other.74 This axiom is the very essence of John Boyd’s theory
in which he recognizes the need to cycle through a mental model—observe, orient, decide, act
(OODA) loop—at a pace much faster than the enemy.75 Thus in cyber warfare, operational
success would be dependent on speed with the upper hand going to the party with the greater
ability to act or react faster in the highly complex cyber ecosystem.
71US Navy, USMC Doctrine Reference Publication, MCDP 1, Warfighting (Washington, DC, 20 June 1997), 38-40.
72US Army, ADRP 3-0, Unified Land Operations, Army Doctrine Reference Publication (Washington, DC, May 2012), 55.
73US Navy, Warfighting, 38-40. 74Scott Applegate, “The Principle of Maneuver in Cyber Operations”, 185 (2012 4th International
Conference on Cyber Conflict, NATO CCD COE Tallinn, 2012). 75Frans Osinga, Science, Strategy and War: The Strategic Theory of John Boyd, 2, (Delft: Eburon
Academic Publishers, 2005).
29
-
Furthermore, given the limitations of deterrence as a possible operational theory for cyber
warfare it is proposed that, rather than seeking to optimize predictability in a given cyber
ecosystem by increasing the negative feedback effect, the opposite is in fact more desirable. By
decreasing the predictability of one’s cyber ecosystem, one is able to reduce the vulnerability
picture. Thus, the stability and resulting predictability of one’s own cyber ecosystem can decrease
by increasing the positive feedback effect.
Decreased understanding is akin to the introduction of “fog” into one’s own ecosystem in
order to mitigate the adversary’s ability to predict an outcome and thus respond preemptively. In
this regard, cyber decoys can be employed as a classical form of deception to introduce fog from
an adversary’s perspective. Under this paradigm, decoy rules, developed and integrated into the
daily operations of the organization, guide actors within each of the dimensions of a cyber
ecosystem. The problem with this approach, however, is that one must take care to ensure the use
of cyber decoys does not rise to the level of perfidy, the treacherous misleading of an enemy
about his—or your—status under the law.”76
Thus, to decrease the stability and resulting predictability of one’s own cyber ecosystem,
one should seek to increase the positive feedback effects. The increase in positive feedback
effects would, in turn, introduce chaoplexity into the cyber ecosystem—a neologic term created
out of an amalgamation of chaos and complexity theory.77 Moreover, it is through this
phenomenon that a can one can deduce a semblance of coherence in the midst of chaos and
complexity.
76Michael Brett and Thomas Wingfield, “Lawful Cyber Decoy Policy” (International Federation for Information Processing, 8th International Conference on Information Security, Athens, Greece, May, 2003), 4, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.108.7169&rep=rep1&type=pdf (accessed 3 March 2014).
77Antoine Bousquet, “Chaoplexic Warfare or the Future of Military Organization,” International Affairs 84, no. 5 (September 2008): 923, doi:10.1111/inta.2008.84.issue-5 (accessed 15 February 2014).
30
-
Managing the Positive Feedback Effect
As a rule of thumb, a cyber ecosystem is deterministic in nature by virtue of the
antecedent impact of both positive and negative feedback effects. The central tenet of chaoplexity
is that it is at the point of instability that order emerges from chaos. Chaoplexity is the resulting
behavior when chaos presents the possibility of order rather than a threat to order.78
The emergence of chaoplexity in the cyber ecosystem shifts the focus from the traditional
approach of the stabilization and self-regulation of an ecosystem based on the management of
negative feedback effects to the exploitation of the positive feedback effect that leads to the
emergence of chaoplexic behavior.79 Its utility to the current discourse stems from the fact that the
most successful “systems” are those that retain flexibility and openness in the interaction and
organization of their parts within environments, while at the same time eluding complete
predictability. 80 Since the resulting chaoplexic behavior in the cyber ecosystem is not random, it
must be managed. The ability to manage the chaoplexic behavior in the cyber ecosystem is
achieved by identifying and managing the state of the key dimensions, which drive the dynamics
of the whole cyber ecosystem.
The identification of the key dimensions is accomplished by classifying each dimension
of the cyber ecosystem into one of three possible categories based on the predominant role, which
it plays in a cyber ecosystem. These categories are: critical, meaning that the dimension must
always be in place in order for the cyber ecosystem to function; redundant, meaning that it is
never required for the ecosystem to function; and intermittent, meaning that it acts as driver
dimension in some or all parts of the ecosystem.81
78Bousquet, “Chaoplexic Warfare or the Future of Military Organization,” 915-29. 79Ibid. 80Ibid. 81Tao Jia et al., “Emergence of Bimodality in Controlling Complex Networks,” Nature
31
-
In this regard, the key dimension is the human dimension, which drives the dynamics of
the whole cyber ecosystem. This is because the energy flow of intellectual capital manifests itself
in a cyber ecosystem. Recognizing the human dimension as the key dimension to manage
chaoplexic behavior leads to the identification of two potential approaches: centralized and
distributed management.82
In a centralized approach towards managing chaoplexity, one can achieve control of their
cyber ecosystem through a small fraction of all the dimensions specific to their organization. A
distributed approach towards managing chaoplexity requires the distribution and sharing of
responsibility. The obvious consequence of a centralized approach is that an organization, in this
case DOD, can only focus on the security of its own cyber ecosystem because a distributed
approach will require significant resources. More importantly, legal constraints pose a barrier to
DOD’s ability to manage the cyber ecosystem of organizations in the civilian private sector.
Thus, a distributed approach towards managing chaoplexity is required, and this approach should
encompass the civilian private sector. The question now arises: what does this mean for cyber
warfare?
Operational Implications
The overall implication of depicting cyberspace as a complex, adaptive ecosystem rather
than a domain is that it provides an avenue for further understanding of the complexities
associated with operating in cyberspace. It is preferable to manipulate the positive feedback effect
instead of maximizing the negative feedback effect because it would introduce chaoplexity into
one’s cyber ecosystem. The adoption of a distributed approach towards managing chaoplexity in
the cyber ecosystem requires the acknowledgement that the civilian private sector also has a
Communications 4 (18 June 2013): 4, DOI: 10.1038/ncomms3002 (accessed 3 April 2014). 82 Jia et al., “Emergence of Bimodality in Controlling Complex Networks,” 2.
32
_________________________________________________________________________________
-
prominent role to play in cyberspace because DOD relies on infrastructure provided by the
private sector. Since the DOD cannot segregate its cyber ecosystem from the private sector
infrastructure, it must resort to a constant increase of its cyber security posture to counter
emerging threats. This is a defensive approach towards operating in cyberspace.
This brings to the forefront the concern raised about the current US approach to
protecting its computer systems as being “too predictable,” a concern raised in 2011 by the
former Vice Chairman of the US Joint Chiefs of Staff, General Cartwright.83 Specifically his
concern was that the U.S approach is purely defensive with no penalty attached for attacking the
U.S, and this needed to change.84 When the status quo of emphasizing defense is viewed within
the context of a nominal cyber aggressor, such as China, arguments can be made that engaging in
a defensive stance is exactly what China wants the United States to do. This is because the
Chinese approach towards strategy depends on the enticement of technologically superior
opponents into unwittingly adopting a strategy that will lead to their defeat.85
This approach is highlighted in the works of Li Bingyan, one of the most influential and
brilliant contemporary Chinese strategists, in which he provides a perfect analogy of how this is
accomplished. Using the example of a weak mouse (i.e., China) trying to keep track of a huge cat
(i.e., the United States), he asks, “How could a mouse hang a bell around a cat’s neck?” His
answer: “The mouse cannot do this alone or with others. Therefore, the mouse must entice the cat
to put the bell on himself.”86
83Ellen Nakashima, “US Cyber Approach ‘Too Predictable’ for One Top General,” Washington Post, (14 July 2011) http://www.washingtonpost.com/national/national-security/us-cyber-approach-too-predictable-for-one-top-general/2011/07/14/gIQAYJC6EI_story.html (accessed 23 March 2014).
84Ibid. 85Attributed to Li Bingyan, Applying Military Strategy in the Age of the New Revolution in
Military Affairs, by Timothy L. Thomas, “The Chinese Military Strategic Mindset,” Military Review 47 (Nov-Dec 2007), http://fmso.leavenworth.army.mil/documents/chinese-mind-set.pdf.
86Timothy L. Thomas, “The Chinese Military Strategic Mindset,” Military Review, 47 (Nov-Dec
33
-
Essentially, what is happening is that it is very plausible that China has deliberately
sought to foster the creation of a flawed US narrative for operating in cyberspace—a narrative
that emphasizes cyber security. Public record accounts attribute most cyber attacks against USG,
as well as private sector-owned computer systems, to the Chinese government, and the military
supports this assertion.87 This observation is critical because it illustrates China’s emphasis of the
indirect approach towards gaining the upper hand. This indirect approach typifies the Chinese
stratagem of deception.
Precision as an Operational Art Element in Cyberspace Operations
The ability to successfully manage the positive feedback effects suggest that a new
operational art element specific to the cyber realm would apply—the operational art element of
precision. Delivering precision effects is the intended outcome of offensive operations.88 For
conventional kinetic weapons, precision effects are synonymous with low-collateral damage. In
cyber operations, operators typically rely on intuitive estimates, which depend in large part on the
experience and expertise of the operator. Given the heavy reliance on intuition, the need for
intellectual capital development remains critical. Furthermore, since it is impossible to know
precisely the future of any phenomena, except the probabilities that lay ahead, the focus of effort
in ensuring precision as is to increase probabilistic confidence levels during cyberspace
operations.89
2007), http://fmso.leavenworth.army.mil/documents/chinese-mind-set.pdf (accessed 3 April 2014). 87US Office of the Secretary Of Defense, Military and Security Developments Involving the
People’s Republic of China 201 3: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2000, 113th Cong., Report (Washington, DC, 2013).
88Kamal Jabbour, “The Science and Technology of Cyber Operations” (Air, Space, and Cyberspace Power in the 21st Century 38th IFPA-Fletcher Conference on National Security Strategy and Policy, 20 January 2010), http://www.ifpafletcherconference.com/2010/transcripts/session4_Jabbour.pdf (accessed 5 April 2014).
89Everett C. Dolman, Pure Strategy: Power and Principle in the Space and Information Age,
34
_________________________________________________________________________________
-
US Policy Implications
The current integration of USG assets with civilian systems makes segregation
impossible and creates a responsibility for the US to protect those civilian networks, services, and
communications.90 To accomplish this, the USG has largely adopted cyber security as a key
theme of its undeclared and unofficial policy for operating in cyberspace. Although inextricably
linked, cyber security and cyber warfare represent two somewhat opposing concepts. Where
cyber security is primarily defensive in nature, cyber warfare is both offensive and defensive in
nature. The crosscutting concern for both cyber security and warfare is “defense.” It is only
logical the emphasis of the USG official policy position would center on a defensive approach
towards operating in cyberspace. The current efforts, although necessary and beneficial, attempt
to increase the negative feedback effect in order to make the US cyber infrastructure more
resilient to cyber attacks. The implications of this approach require a never-ending cycle of
building in mechanisms to protect its cyber infrastructure.
To develop a more plausible narrative for operating in cyberspace, the US must switch
focus. In order to do this it need not look any further than the old adage, which states that the best
form of defense is attack. This suggests that adopting a policy position that is primarily offensive
in nature better serves the US, especially in regards to the protection of the cyber ecosystems of
the private sector. The fact that most, if not all, of the underlying infrastructure for seamless cyber
interactions are controlled and managed by non-state entities means that the USG most recognize
the power of the private sector in cyberspace.91 Simply put, offensive cyber attacks should not be
limited to only the authorized entities of the United States military. Excerpts from a paper
Vol. 6 of Cass Series-Strategy and History (London: Frank Cass, 2005), 101. 90Jensen, “Cyber Warfare and Precautions against the Effects of Attacks.” 91Choucri and Clark, “Cyberspace and International Relations towards an Integrated System,” 33.
35
_________________________________________________________________________________
-
presented to the Judiciary Committee’s Subcommittee on Crime and Terrorism further
emphasizes this position. In the paper, the author Stewart A. Baker, a partner of Steptoe &
Johnson LLP, described the actual defensive approach of cyber security with following metaphor:
We are not likely going to defend our way out of this problem. . . . In short, we can’t defend our way out of this fix, any more than we could solve the problem of street crime by firing our police and making pedestrians buy better body armor every year. . . . I’m not calling for vigilantism, I’m not calling for lynch mobs. But we need to find a way to give the firms doing these investigations authority to go beyond their network. . . . If we don’t do that we will never get to the bottom of most of these attacks.”92
Such an offensive minded policy, if adopted, would enable the application of special
offensive techniques to mitigate cyber threats such as the use of intr